US-10812971

Service-based security per data network name in mobile networks

Published: October 20, 2020
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

Techniques for providing service-based security per data network name in mobile networks (e.g., service provider networks for mobile subscribers) are disclosed. In some embodiments, a system/process/computer program product for service-based security per data network name in mobile networks in accordance with some embodiments includes monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network; extracting network name information for user traffic associated with the new session at the security platform; and determining a security policy to apply at the security platform to the new session based on the network name information.

Patent Claims
18 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A system, comprising: a processor configured to: monitor network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network, and wherein the monitoring of the network traffic comprises to: identify HTTP/2 messages in the network traffic; extract network name information for user traffic associated with the new session at the security platform; extract network slice information for user traffic associated with the new session at the security platform, comprising to: parse the HTTP/2 messages to obtain data type ‘SmContextCreateData’ or data type ‘PduSessionCreateData’; and extract Single Network Slice Selection Assistance Information (S-NSSAI) from the data type ‘SmContextCreateData’ or the data type ‘PduSessionCreateData’ to obtain the network slice information; and determine a security policy to apply at the security platform to the new session based on the network name information and the network slice information; and a memory coupled to the processor and configured to provide the processor with instructions.

2. The system recited in claim 1, wherein the security platform is configured with a plurality of security policies based on the network name information.

3. The system recited in claim 1, wherein the network name is identified by a Data Network Name (DNN).

4. The system recited in claim 1, wherein the security platform monitors wireless interfaces including a plurality of interfaces for a control protocol and user data traffic in a mobile core network for a 4G and/or 5G network.

5. The system recited in claim 1, wherein the security platform monitors wireless interfaces including a plurality of interfaces for a control protocol and user data traffic in a mobile core network for a 4G and/or 5G network to provide network name based security to subscribers and subscriber devices that connect to the service provider network using 5G radio access technology and handover from/to 5G radio access technologies to non-5G radio access technologies.

6. The system recited in claim 1, wherein the security platform is configured to perform a firewall service using the network name information.

7. The system recited in claim 1, wherein the security platform is configured to perform threat detection for known threats using the network name information.

8. The system recited in claim 1, wherein the security platform is configured to perform advanced threat detection for unknown threats using the network name information.

9. The system recited in claim 1, wherein the security platform is configured to perform Uniform Resource Link (URL) filtering using the network name information.

10. The system recited in claim 1, wherein the security platform is configured to perform application Denial of Service (DoS) detection using the network name information.

11. The system recited in claim 1, wherein the security platform is configured to perform application Denial of Service (DoS) prevention using the network name information.

12. The system recited in claim 1, wherein the processor is further configured to: block the new session from accessing a resource based on the security policy.

13. A method, comprising: monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network, and wherein the monitoring of the network traffic comprises: identifying HTTP/2 messages in the network traffic; extracting network name information for user traffic associated with the new session at the security platform; extracting network slice information for user traffic associated with the new session at the security platform, comprising: parsing the HTTP/2 messages to obtain data type ‘SmContextCreateData’ or data type ‘PduSessionCreateData’; and extracting Single Network Slice Selection Assistance Information (S-NSSAI) from the data type ‘SmContextCreateData’ or the data type ‘PduSessionCreateData’ to obtain the network slice information; and determining a security policy to apply at the security platform to the new session based on the network name information and the network slice information.

14. The method of claim 13, wherein the security platform is configured with a plurality of security policies based on the network name information.

15. The method of claim 13, wherein the network name is identified by a Data Network Name (DNN).

16. The method of claim 13, wherein the security platform monitors wireless interfaces including a plurality of interfaces for a control protocol and user data traffic in a mobile core network for a 4G and/or 5G network to provide network name based security to subscribers and subscriber devices that connect to the service provider network using 5G radio access technology and handover from/to 5G radio access technologies to non-5G radio access technologies.

17. A computer program product, the computer program product being embodied in a tangible computer readable storage medium and comprising computer instructions for: monitoring network traffic on a service provider network at a security platform to identify a new session, wherein the service provider network includes a 5G network or a converged 5G network, and wherein the monitoring of the network traffic comprises: identifying HTTP/2 messages in the network traffic; extracting network name information for user traffic associated with the new session at the security platform; extracting network slice information for user traffic associated with the new session at the security platform, comprising: parsing the HTTP/2 messages to obtain data type ‘SmContextCreateData’ or data type ‘PduSessionCreateData’; and extracting Single Network Slice Selection Assistance Information (S-NSSAI) from the data type ‘SmContextCreateData’ or the data type ‘PduSessionCreateData’ to obtain the network slice information; and determining a security policy to apply at the security platform to the new session based on the network name information and the network slice information.

18. The computer program product recited in claim 17, wherein the security platform is configured with a plurality of security policies based on the network name information.
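The flow that claims 1, 13 and 17 describe (identify HTTP/2 messages on the 5G core's service-based interface, parse the SmContextCreateData or PduSessionCreateData body, pull out the DNN and the S-NSSAI, then choose a security policy keyed on both) can be sketched as a small parser plus a most-specific-match policy lookup. The Python below is an added illustration written for this page, not code from the patent or from any vendor's product. It assumes the 3GPP TS 29.502 Nsmf_PDUSession resource paths (/nsmf-pdusession/v1/sm-contexts and /nsmf-pdusession/v1/pdu-sessions) and the TS 29.571 field names dnn, sNssai.sst and sNssai.sd; the policy table, the sample requests, the SUPI/vSMF identifiers and the N1 SM payload bytes are constructed for the example. It also assumes the security platform sees the SBI requests after HTTP/2 framing and TLS have been removed, which in a real core means TLS between network functions is terminated at, or mirrored in the clear to, the platform.

```python
import fnmatch
import json
import re
from dataclasses import dataclass
from typing import Optional

# Nsmf_PDUSession resource paths (3GPP TS 29.502) whose POST bodies carry the two
# data types named in claim 1; the path, not a guess, decides the data type.
DATA_TYPE_BY_PATH = {
    re.compile(r"^/nsmf-pdusession/v1/sm-contexts/?$"): "SmContextCreateData",
    re.compile(r"^/nsmf-pdusession/v1/pdu-sessions/?$"): "PduSessionCreateData",
}
# Optional operator identifier a DNN may carry (TS 23.003); stripped before matching.
OPERATOR_ID = re.compile(r"\.mnc\d{3}\.mcc\d{3}\.gprs$", re.IGNORECASE)

@dataclass(frozen=True)
class SessionKey:
    data_type: str
    dnn: str            # network identifier only, lower-cased
    sst: int            # Slice/Service Type, 0..255
    sd: Optional[str]   # Slice Differentiator, 6 hex digits, or None

def _json_part(content_type: str, body: bytes) -> dict:
    """JSON document of a plain or multipart/related SBI body (SmContextCreateData
    normally travels as multipart with a binary N1 SM part after the JSON part)."""
    if content_type.startswith("application/json"):
        return json.loads(body)
    if content_type.startswith("multipart/related"):
        m = re.search(r'boundary="?([^";]+)"?', content_type)
        if not m:
            raise ValueError("multipart/related without boundary parameter")
        for part in body.split(b"--" + m.group(1).encode()):
            head, _, payload = part.partition(b"\r\n\r\n")
            if b"application/json" in head.lower():
                return json.loads(payload.strip())
        raise ValueError("no application/json part in multipart body")
    raise ValueError(f"unexpected content type {content_type!r}")

def extract_session_key(method: str, path: str, content_type: str,
                        body: bytes) -> Optional[SessionKey]:
    """DNN / S-NSSAI key of a session-create request, or None if the message is not
    one. A malformed create request raises so the caller fails closed."""
    if method.upper() != "POST":
        return None
    data_type = next((t for p, t in DATA_TYPE_BY_PATH.items() if p.match(path)), None)
    if data_type is None:
        return None
    doc = _json_part(content_type, body)
    dnn, snssai = doc.get("dnn"), doc.get("sNssai") or {}
    if not isinstance(dnn, str) or "sst" not in snssai:
        raise ValueError(f"{data_type} lacks dnn or sNssai.sst")
    sst = int(snssai["sst"])
    if not 0 <= sst <= 255:
        raise ValueError(f"sst out of range: {sst}")
    sd = snssai.get("sd")
    if sd is not None:
        sd = str(sd).lower()
        if not re.fullmatch(r"[0-9a-f]{6}", sd):
            raise ValueError(f"sd is not 6 hex digits: {sd!r}")
    return SessionKey(data_type, OPERATOR_ID.sub("", dnn).lower(), sst, sd)

# Hypothetical policy table: (dnn glob, sst or None, sd or None, policy name).
# None is a wildcard; the rule that pins down the most fields wins.
POLICY_RULES = [
    ("ims",      None, None,     "voice-allow-sip-rtp-only"),
    ("iot.*",    3,    None,     "iot-dos-ratelimit"),
    ("factory*", 2,    "0a0b0c", "urllc-block-unknown-apps"),
    ("*",        1,    None,     "embb-full-inspection"),
]
DEFAULT_POLICY = "deny-unknown-dnn-slice"

def select_policy(key: SessionKey) -> str:
    """Most-specific match over DNN and S-NSSAI; unknown combinations are denied."""
    best, best_score = DEFAULT_POLICY, -1
    for dnn_glob, sst, sd, policy in POLICY_RULES:
        if not fnmatch.fnmatchcase(key.dnn, dnn_glob):
            continue
        if (sst is not None and sst != key.sst) or (sd is not None and sd != key.sd):
            continue
        score = (dnn_glob != "*") + (sst is not None) + (sd is not None)
        if score > best_score:
            best, best_score = policy, score
    return best

def _multipart(boundary: str, doc: dict) -> bytes:
    """Constructed multipart/related body: JSON part, then a dummy N1 SM part."""
    json_part = f"--{boundary}\r\nContent-Type: application/json\r\n\r\n{json.dumps(doc)}\r\n"
    n1_head = f"--{boundary}\r\nContent-Type: application/vnd.3gpp.5gnas\r\nContent-Id: n1msg\r\n\r\n"
    n1_bytes = b"\x2e\x01\x01\xc1\xff\xff\x91"          # placeholder, not a real NAS PDU
    return json_part.encode() + n1_head.encode() + n1_bytes + f"\r\n--{boundary}--\r\n".encode()

# Constructed sample requests as (method, path, content-type, body) after HTTP/2 decoding.
SAMPLE_MESSAGES = [
    ("POST", "/nsmf-pdusession/v1/sm-contexts",
     'multipart/related; boundary=sbi-boundary; type="application/json"',
     _multipart("sbi-boundary", {"supi": "imsi-001010123456789", "pduSessionId": 5,
                                 "dnn": "internet", "sNssai": {"sst": 1},
                                 "anType": "3GPP_ACCESS", "n1SmMsg": {"contentId": "n1msg"}})),
    ("POST", "/nsmf-pdusession/v1/pdu-sessions", "application/json",
     json.dumps({"supi": "imsi-001010123456790", "pduSessionId": 1,
                 "dnn": "factory.mnc001.mcc001.gprs", "sNssai": {"sst": 2, "sd": "0A0B0C"},
                 "vsmfId": "8f5b2f4a-1111-4f5b-9c1e-0a0b0c0d0e0f"}).encode()),
    ("GET", "/nsmf-pdusession/v1/sm-contexts/1", "application/json", b"{}"),
]

def classify(messages=SAMPLE_MESSAGES):
    """Run the claim-1 flow over decoded messages; one (key, policy) per create request."""
    results = []
    for method, path, ctype, body in messages:
        key = extract_session_key(method, path, ctype, body)
        if key is not None:
            results.append((key, select_policy(key)))
    return results

if __name__ == "__main__":
    for key, policy in classify():
        print(f"{key.data_type}: dnn={key.dnn} sst={key.sst} sd={key.sd} -> {policy}")
```

Two details matter in practice. A DNN may arrive as the bare network identifier ("internet") or with the operator identifier appended ("factory.mnc001.mcc001.gprs"), so the key is normalised before it is matched, otherwise a policy written for the short form silently misses the long form. And a create request whose DNN or S-NSSAI is missing or malformed raises instead of falling through to a permissive default, so the platform can treat it as a policy violation rather than an unclassified session.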


Patent Metadata

Filing Date

September 10, 2019

Publication Date

October 20, 2020


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “Service-based security per data network name in mobile networks” (US-10812971). https://patentable.app/patents/US-10812971

© 2026 Patentable. All rights reserved.
